As the industry increases the use of mobile devices, there is a problem when users work in a mixed environment of desktop machines and mobile devices.
Beyond interface issues associated with the smaller screens of mobile devices, enterprises face a plethora of security-related issues when allowing these mobile devices to access enterprise assets. Yet, there is a tremendous need for allowing access to assets via mobile devices since this is the manner in which people work and communicate nowadays and since the growth of mobile usage has been exponential in recent years.
Consider the security issue associated with corporate credentials or secrets, such as names and passwords, which can be stored on a user's mobile device. Various vendors, such as Apple®, have tried to make this safer by providing a “keychain.” The keychain provides a place where credentials can be encrypted on the device for safer storage. The problem is that the credentials are still stored on the device, and if the device is lost or stolen, the corporate credentials can be discovered and exposed. The amount of work needed to get the credentials varies greatly depending on the device state. Some examples of a device state are suspension and hibernation. In addition, access to the credentials might depend on whether they were ever cached in memory. In either case, if a device is lost, the user or administrator must change all corporate passwords that were stored on the lost device. This is further compounded because the user may not realize the device is lost and/or may not be able to signal the system that he/she lost the device. Once the loss of the device is discovered, the user or administrator has no way to know whether the secrets have been discovered.
In addition, storing the password on the device means it must be sent from the mobile device to a backend enterprise service. This adds a risk that the password may be discovered while it is being sent and is exposed on a network.
Lastly, Apple® mobile devices that use iOS keep a separate keychain on the device for each application, and these keychains are not shared. This means that if more than one application needs the same credentials, they must be entered and stored once for each application. This introduces the possibility of transcription errors as well as exposure of the passwords.
As stated above and for other reasons, security is an issue of import when enterprises attempt to integrate mobile device access to enterprise assets.